HTTP Strict Transport Security (HSTS)
Parameters#
Parameter | Details
---|---
max-age=31536000 | Time in seconds. HSTS is enforced for this period (here one year), counted from the most recent response that carried the header, so every visit refreshes the expiry. `max-age=0` tells the browser to forget the policy.
includeSubDomains | HSTS should be applied to this domain and all of its sub-domains.
preload | This domain agrees to be included in an HSTS pre-load list shipped with browsers.
Remarks#
HSTS Header

```http
Strict-Transport-Security: max-age=31536000; includeSubDomains
```
`Strict-Transport-Security` is a promise to the browser that all future requests to this domain will be made over HTTPS. For the time period given by `max-age` (in seconds):
- All outgoing HTTP requests from the browser are rewritten to HTTPS on the client before they leave the machine (an internal redirect, not an HTTP redirect from the server, so no plaintext request is ever sent).
- If the certificate is invalid (e.g. expired or self-signed), the user is not offered a way to add an exception, and the site stays inaccessible until a valid certificate is presented.
HSTS is meant to defeat man-in-the-middle attacks that rely on HTTPS stripping (downgrading the connection to plain HTTP), on presenting an invalid certificate and expecting the user to click through the warning, and on redirecting plain-HTTP requests to another destination.
HSTS preload list

```http
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
```

HSTS is activated only after the browser has received the header over a successful HTTPS connection with a valid certificate; the header is ignored when it arrives over plain HTTP. A user's very first visit, and any visit after the policy has expired, is therefore still exposed to a man-in-the-middle attack.
To protect even the first request, the domain can be submitted to a preload list that is compiled into browsers (maintained for Chromium at hstspreload.org and also consumed by Firefox, Edge and Safari). Submission requires a `max-age` of at least one year (31536000), `includeSubDomains`, the `preload` directive, a valid certificate, and plain-HTTP requests to the bare domain redirecting to HTTPS.
The `preload` parameter is not acted on by browsers directly; it is an indication to the browser vendors that the site owners deliberately asked to be added to the preload list, so that nobody can submit a domain whose owner merely set `includeSubDomains`. Because the list ships inside browser releases, removal takes months to propagate, so only submit a domain once every sub-domain (including internal ones) is served over HTTPS.
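The following is an added example, not code from the original page or from any browser: a small JavaScript model of the client-side behaviour described above (header accepted only over HTTPS with a valid certificate, HTTP URLs rewritten to HTTPS before any request is sent, `includeSubDomains` and `max-age` expiry honoured) together with a check of the header-level preload requirements. The hostnames and header values are constructed for the demo; the `HstsStore`, `parseHsts` and `preloadEligible` names are this example's own, and the preload check only covers what can be read from the header, not the certificate and redirect checks hstspreload.org also performs.

```javascript
// Added example: a minimal model of how a browser applies
// Strict-Transport-Security, plus a header-level preload eligibility check.
// Hostnames and header values used below are constructed for the demo.

// Parse the header value into its directives. Directives are separated by
// ';', names are case-insensitive, unknown directives are ignored and a
// missing or malformed max-age makes the whole header invalid (RFC 6797).
function parseHsts(headerValue) {
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  for (const part of headerValue.split(";")) {
    const [rawName, rawValue] = part.split("=");
    const name = rawName.trim().toLowerCase();
    if (!name) continue;
    if (name === "max-age") {
      const v = (rawValue || "").trim().replace(/^"|"$/g, "");
      if (!/^\d+$/.test(v)) return null;
      policy.maxAge = Number(v);
    } else if (name === "includesubdomains") {
      policy.includeSubDomains = true;
    } else if (name === "preload") {
      policy.preload = true;
    }
  }
  return policy.maxAge === null ? null : policy;
}

// The HSTS store a client keeps: host -> { expires, includeSubDomains }.
// `now` is injectable so expiry can be exercised without waiting.
class HstsStore {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.hosts = new Map();
  }

  // Record a policy only if the response came over HTTPS with a valid
  // certificate; a header seen over plain HTTP is ignored. Returns whether
  // the header was accepted.
  record(host, headerValue, { overHttps, certValid }) {
    if (!overHttps || !certValid) return false;
    const p = parseHsts(headerValue);
    if (!p) return false;
    host = host.toLowerCase();
    if (p.maxAge === 0) {          // max-age=0 removes the stored policy
      this.hosts.delete(host);
      return true;
    }
    this.hosts.set(host, {
      expires: this.now() + p.maxAge * 1000,
      includeSubDomains: p.includeSubDomains,
    });
    return true;
  }

  // Is this host covered right now, either directly or through a parent
  // domain whose policy carried includeSubDomains? Expired entries are dropped.
  isKnown(host) {
    const labels = host.toLowerCase().split(".");
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join(".");
      const entry = this.hosts.get(candidate);
      if (!entry) continue;
      if (entry.expires <= this.now()) {
        this.hosts.delete(candidate);
        continue;
      }
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }

  // Rewrite http:// to https:// on the client before the request is sent.
  // An explicit :80 is already dropped by the URL parser, so after the
  // scheme change the default port 443 applies; other ports are kept.
  upgrade(url) {
    const u = new URL(url);
    if (u.protocol === "http:" && this.isKnown(u.hostname)) {
      u.protocol = "https:";
    }
    return u.toString();
  }
}

// Header-level requirements for submission to the preload list: max-age of
// at least one year, includeSubDomains, and the preload directive.
const ONE_YEAR = 31536000;
function preloadEligible(headerValue) {
  const p = parseHsts(headerValue);
  return !!p && p.maxAge >= ONE_YEAR && p.includeSubDomains && p.preload;
}

// Stand-alone demo with a fake clock.
let clock = 1_000_000;
const demoStore = new HstsStore(() => clock);
demoStore.record("example.com", "max-age=300; includeSubDomains", { overHttps: true, certValid: true });
console.log(demoStore.upgrade("http://api.example.com/v1"));   // upgraded to https
clock += 301 * 1000;
console.log(demoStore.upgrade("http://api.example.com/v1"));   // policy expired, left as http
console.log(preloadEligible("max-age=31536000; includeSubDomains; preload"));
```

Two details worth noticing in the model: the first-visit gap is visible in `record` (nothing is stored until a valid HTTPS response has been seen), and `isKnown` walks up the parent domains so that a policy on `example.com` with `includeSubDomains` also covers `api.example.com`, which is exactly why that directive must not be set until every sub-domain serves HTTPS.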